Entra ID SCIM

Bitrise supports automatic user and group provisioning via SCIM 2.0 with Microsoft Entra ID. Once configured, Entra ID becomes the authoritative source for workspace membership: users and group assignments are pushed to Bitrise automatically, and removing a user in Entra deactivates their access on Bitrise.

SCIM requirements

  • SCIM provisioning requires an Enterprise plan.
  • You must have SAML SSO configured between Bitrise and Entra ID before enabling SCIM.
  • You must have a verified domain. Domain verification can take up to 72 hours. SCIM credentials cannot be generated until at least one domain is verified.
  • You will need both the Bitrise workspace owner and an Entra ID administrator available during setup.

Setting up SCIM

The setup consists of three steps:

  1. Generating SCIM credentials on Bitrise.
  2. Configuring SCIM provisioning in Entra ID.
  3. Verifying the connection.

Generating SCIM credentials on Bitrise

  1. Log in to Bitrise and hover over the left navigation bar.

  2. Make sure you have the right workspace selected in the Workspace menu.

  3. Select Settings.

  4. Select Single sign-on from the left menu.

  5. Select the SCIM tab.

  6. Click Generate SCIM credentials.

  7. Copy and save both values shown in the dialog:

    • SCIM base URL
    • SCIM authentication token

    The token is not displayed again after you close the dialog. If you lose it, you can regenerate it, but doing so immediately invalidates the previous token. Treat the token as a credential with full provisioning rights over the workspace: store it in a secrets manager, not in a ticket or chat message, and regenerate it if it is ever exposed.

Configuring SCIM provisioning in Entra ID

Bitrise is not a gallery app in Entra ID. Use Microsoft's tutorial for configuring SCIM with non-gallery applications and apply the following Bitrise-specific values:

Under Admin Credentials, enter the SCIM base URL from Bitrise as the Tenant URL and the SCIM authentication token as the Secret Token. When configuring Provisioning Mode, select Automatic. Use Sync only assigned users and groups to control which users and groups are pushed to Bitrise.

Enable Push Groups

Workspace membership on Bitrise is managed through groups. You must enable group provisioning (Push Groups) so that Entra ID can manage group membership in Bitrise. Without it, users will be provisioned but not added to any group.

Verifying the connection

Click Test Connection in the Entra ID provisioning configuration. This queries the Bitrise /ServiceProviderConfig endpoint and confirms that the credentials are valid. A successful test means Entra ID can reach Bitrise and authenticate correctly; it does not create or modify any users or groups, so it says nothing about whether your attribute mapping or group names are right.
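Added example (not Bitrise's or Microsoft's code): a Python script that performs the same probe the page describes for Test Connection, a GET on /ServiceProviderConfig with the bearer token, and then checks that the capabilities the endpoint advertises (RFC 7643 section 5) cover what Entra ID's provisioning service relies on: PATCH for updates and for the active=false deactivation, and filtering for looking up existing users by userName before creating them. The environment variable names BITRISE_SCIM_BASE_URL and BITRISE_SCIM_TOKEN are assumptions; the sample response in the usage is constructed.

```python
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Schema URI that a SCIM 2.0 ServiceProviderConfig response must declare (RFC 7643, section 5).
SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"


def build_probe_request(base_url: str, token: str) -> urllib.request.Request:
    """GET <base>/ServiceProviderConfig with the Bitrise SCIM token as a bearer credential."""
    url = base_url.rstrip("/") + "/ServiceProviderConfig"
    return urllib.request.Request(
        url,
        method="GET",
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"},
    )


def check_service_provider_config(doc: Dict) -> List[str]:
    """Compare the advertised capabilities with what Entra ID provisioning needs.

    Returns a list of problems; an empty list means the endpoint advertises everything
    Entra ID relies on for create, update and deprovision operations.
    """
    problems = []
    if SPC_SCHEMA not in doc.get("schemas", []):
        problems.append("response does not declare the ServiceProviderConfig schema URI")
    if not doc.get("patch", {}).get("supported", False):
        problems.append("patch.supported is false: Entra ID updates users and deprovisions "
                        "them with PATCH (active=false)")
    if not doc.get("filter", {}).get("supported", False):
        problems.append("filter.supported is false: Entra ID matches existing users with "
                        'GET /Users?filter=userName eq "..." before creating them')
    return problems


def probe(base_url: str, token: str, timeout: int = 10) -> Tuple[str, List[str]]:
    """Run the probe against a live endpoint.

    Returns (status, problems): status is 'ok', 'unauthorized', 'unreachable' or 'http <code>'.
    """
    req = build_probe_request(base_url, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            doc = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            # Same failure Test Connection reports for a stale token: regenerate on the
            # Bitrise SCIM tab and paste the new value into Entra ID.
            return "unauthorized", ["token rejected by the SCIM endpoint"]
        return "http %d" % e.code, []
    except (urllib.error.URLError, OSError) as e:
        return "unreachable", [str(e)]
    except ValueError as e:
        return "ok", ["response is not valid JSON: %s" % e]
    return "ok", check_service_provider_config(doc)


if __name__ == "__main__":
    # Assumed variable names; they are not defined by Bitrise or Entra ID.
    base = os.environ.get("BITRISE_SCIM_BASE_URL")
    tok = os.environ.get("BITRISE_SCIM_TOKEN")
    if not base or not tok:
        sys.exit("set BITRISE_SCIM_BASE_URL and BITRISE_SCIM_TOKEN first")
    status, issues = probe(base, tok)
    print("status:", status)
    for issue in issues:
        print(" -", issue)
    sys.exit(0 if status == "ok" and not issues else 1)
```

Run it from a host that can reach the SCIM base URL; a non-zero exit with "token rejected" is the same condition Test Connection reports when the token has been regenerated on the Bitrise side but not updated in Entra ID.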

Attribute mapping

Bitrise implements the SCIM 2.0 Core User Schema and Core Group Schema (RFC 7643/7644). Entra ID's default attribute mapping works without custom transforms.

Supported user attributes:

  • userName: unique identifier for the user; Entra ID maps this to the user's User Principal Name (UPN), which typically matches their email address
  • emails: the user's email address(es)
  • name.givenName: first name
  • name.familyName: last name
  • active: whether the user is active; set to false to deprovision
  • externalId: the user's stable, opaque ID assigned by Entra ID; remains constant even if the user's UPN changes

Supported group attributes:

  • displayName: the group's name in Entra ID
  • members: the list of users in the group

For workspace role assignment via the roles attribute, see Managing workspace roles via SCIM.

Group behavior

Name matching: When Entra ID pushes a group, Bitrise links it to an existing group with the same name, or creates a new one. Matching is case-sensitive and exact. ios_dev and iOS Dev are treated as different groups. Make sure group names in Entra ID match your existing Bitrise group names exactly before enabling sync.

Entra ID becomes authoritative for membership: Once Entra ID is syncing a group, it controls that group's membership. Any members added manually in Bitrise who are not in the corresponding Entra ID group will be removed on the next sync.

Protected groups: Global Access groups and SAML default groups cannot be deleted via SCIM. Keep these groups out of Entra ID's sync scope to avoid unintended membership changes.

User provisioning behavior

No email activation step: Users provisioned via SCIM on a verified domain are created in a confirmed, active state immediately. They do not receive an email activation link from Bitrise. On first login they are redirected directly to the Entra ID SSO flow.

Default workspace role: All SCIM-provisioned users receive the Workspace Viewer role by default, which does not include Bitrise CI product access. To assign a different role at provisioning time, configure the roles attribute in Entra ID. See Managing workspace roles via SCIM.

Deprovisioning behavior

When you remove a user's assignment in Entra ID, Entra ID sends Bitrise a PATCH request setting active to false (or a DELETE request). Bitrise then applies the following, all at once:

  • The user is removed from the workspace and from all of their groups within it.
  • Their personal access tokens are not revoked; they stay valid, but no longer grant access to any resource in this workspace.
  • Their workflows and secrets are preserved and are not reassigned automatically.
  • The seat is freed immediately.

Re-provisioning a deprovisioned user: A deprovisioned user's Bitrise account is not deleted; the user is only removed from the workspace. Re-provisioning them via SCIM with the same email is supported: once they are assigned again in Entra ID, Entra ID manages their workspace membership and group membership via SCIM as normal.

Migrating existing workspace members

SCIM is push-based. Bitrise only acts on requests Entra ID sends. Existing workspace members who are not assigned in Entra ID are not touched and remain in the workspace.

To migrate an existing workspace with members and groups:

  1. Verify all relevant email domains before enabling SCIM.
  2. Align Entra ID group names to match your existing Bitrise group names exactly.
  3. Enable SCIM with Sync only assigned users and groups in Entra ID.
  4. Assign a small pilot group first to validate end-to-end, then expand incrementally.

There is no dry-run or preview mode. The incremental pilot approach is the practical equivalent.

Users on unverified domains

Users whose email is on a domain that has not been verified in Bitrise cannot be managed via SCIM. Any attempt to provision or modify them will be rejected. Exclude those users from Entra ID's assignment scope until their domain is verified.

To verify additional domains, go to Workspace Settings and add each domain under Domain verification. Each domain must be verified separately.
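Since there is no dry-run mode, the next best thing is a pre-flight audit run before assigning anything in Entra ID. The following is an added example (not Bitrise's or Microsoft's code) that covers two of the rules above: the exact, case-sensitive group name matching from Group behavior, and the rejection of users on unverified domains. It takes constructed input shaped like the SCIM 2.0 User resources Entra ID pushes (userName, emails, externalId, active), picks the primary email the way the Core User Schema defines it, and reports which Entra groups will link to an existing Bitrise group, which will be created, and which differ from an existing group only in case or punctuation (the ios_dev / iOS Dev situation). All sample users, group names, the verified domain and the protected group name are constructed for the example; check your own workspace for the real protected group names.

```python
import re
from typing import Dict, List, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample input: shaped like what Entra ID sends, not real Entra ID or Bitrise records.
ENTRA_USERS = [
    {"schemas": [USER_SCHEMA], "externalId": "0c2a8a1e-0000-4000-8000-000000000001",
     "userName": "alice@example.com",
     "name": {"givenName": "Alice", "familyName": "Ng"},
     "emails": [{"value": "alice@example.com", "primary": True, "type": "work"}],
     "active": True},
    {"schemas": [USER_SCHEMA], "externalId": "0c2a8a1e-0000-4000-8000-000000000002",
     "userName": "bob@contractors.example.net",
     "emails": [{"value": "bob@contractors.example.net", "primary": True}],
     "active": True},
    # No emails attribute mapped at all: fall back to userName (the UPN).
    {"schemas": [USER_SCHEMA], "externalId": "0c2a8a1e-0000-4000-8000-000000000003",
     "userName": "carol@example.com", "active": True},
]
ENTRA_GROUPS = ["iOS Dev", "android-dev", "Global Access", "qa"]
BITRISE_GROUPS = ["ios_dev", "android-dev", "Global Access", "release-managers"]
VERIFIED_DOMAINS = ["example.com"]
# Assumed name of a protected group; the page only says Global Access and SAML default
# groups should stay out of sync scope, not what they are called in your workspace.
PROTECTED_GROUPS = ["Global Access"]


def primary_email(user: Dict) -> str:
    """Email Bitrise will see: the primary entry of 'emails', else the first, else userName."""
    emails = user.get("emails") or []
    for e in emails:
        if e.get("primary"):
            return e["value"]
    if emails:
        return emails[0]["value"]
    return user.get("userName", "")


def email_domain(addr: str) -> str:
    # DNS names are case-insensitive, so compare lower-cased. Exact match only: the page says
    # each domain is verified separately, so no suffix matching against a parent domain.
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_users(users: List[Dict], verified_domains: List[str]) -> Tuple[List[str], List[str]]:
    """Split users into those Bitrise will accept and those it will reject (unverified domain)."""
    verified = {d.lower() for d in verified_domains}
    ok, rejected = [], []
    for u in users:
        addr = primary_email(u)
        (ok if email_domain(addr) in verified else rejected).append(addr)
    return ok, rejected


def _loose_key(name: str) -> str:
    # Normalisation used only to spot near misses; Bitrise itself matches exactly.
    return re.sub(r"[^a-z0-9]", "", name.casefold())


def audit_groups(entra_groups: List[str], bitrise_groups: List[str],
                 protected: List[str]) -> Dict[str, list]:
    """Predict what each pushed group will do under exact, case-sensitive name matching."""
    exact = set(bitrise_groups)
    loose: Dict[str, List[str]] = {}
    for g in bitrise_groups:
        loose.setdefault(_loose_key(g), []).append(g)
    report: Dict[str, list] = {"links": [], "creates": [], "near_misses": [], "protected": []}
    for g in entra_groups:
        if g in protected:
            report["protected"].append(g)
        if g in exact:
            report["links"].append(g)            # links to the existing Bitrise group
        elif _loose_key(g) in loose:
            report["near_misses"].append((g, loose[_loose_key(g)]))  # would create a duplicate
        else:
            report["creates"].append(g)          # no counterpart: a new group is created
    return report


if __name__ == "__main__":
    ok, rejected = audit_users(ENTRA_USERS, VERIFIED_DOMAINS)
    print("users accepted:", ok)
    print("users rejected (unverified domain, exclude from assignment):", rejected)
    r = audit_groups(ENTRA_GROUPS, BITRISE_GROUPS, PROTECTED_GROUPS)
    print("groups that will link:", r["links"])
    print("groups that will be created:", r["creates"])
    print("rename before enabling sync:", r["near_misses"])
    print("protected groups in scope (remove from Entra assignment):", r["protected"])
```

Anything in near_misses should be renamed on the Entra ID side before the first sync; otherwise Bitrise creates a second group and the members of the original one are never managed. Anything in protected should be taken out of the Entra ID assignment scope, because once a group is synced its membership is overwritten on every cycle.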